Invincibility lies in the defense, the possibility of victory in the attack.
-Sun Tzu (The Art of War)
A cyber attack is a malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization. Usually, the attacker seeks some type of benefit from disrupting the victim’s network.
Attacks typically fall into the following five areas:
- Application attacks
- Misconfiguration attacks
- Shrink-wrap code attacks
- O/S attacks
- Entry Points that attackers will use to implement these types of attacks.
Application attacks
Many times the applications developers create are not thoroughly tested for vulnerabilities while they are being written, which leaves programming flaws that an attacker can take advantage of. The main reasons are, first of all, that the developer may be under time constraints and takes shortcuts to make sure he hits a deadline. He may be adding features, and sometimes those features create vulnerabilities within the application itself. There may also not be enough time to do adequate QA.
Consider a very famous case. Back in 2010 McAfee released an update to their antivirus solution. Again, they were in a rush to get it out and did not have enough time to do a good quality-assurance inspection of the update, and as a result it caused tens of thousands of systems to crash and burn. The reason was a flaw in their DAT file (the antivirus signature database), which caused the program to report what they refer to as a false positive: it falsely identified a file as a virus and cleaned it. That file was svchost.exe, a Windows system file used everywhere throughout the Windows environment; many of your applications and system services launch underneath that particular process.
So what happened is that once you applied the update to your systems, which was typically done through automation, users were greeted with a wonderful blue screen of death, which then resulted in a never-ending loop of system reboots. You have to remember who else uses computers and for whom this could be an issue: police departments, hospitals, school systems.
Another issue that sometimes comes up is when a developer comes out with an add-on and is not thinking about security when he builds it. In fact, I was working for a software company where they came out with an add-on, forgot to clean up the code, and it created some additional problems once they deployed. Again, that typically comes back to the QA environment.
The result of these causes is buffer overflows and cross-site scripting, as well as active content, denial of service and SYN attacks, and finally SQL injection. All of these different types of attacks are typically thrown at an application server; sometimes it is a web application server. Other types of application attacks include session hijacking: if I can overload the system while you are in the middle of a secure session between you and another machine, I interrupt that session, take it over, kick you off, and continue on in your session as if I were you. Man-in-the-middle attacks are also very common with application vulnerabilities. Finally there is directory traversal (the dot-dot-slash attack), where the goal is to order the application to access a computer file that is not intended to be accessible.
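The directory traversal case above is the one that can be shown in a few lines of code. The following is an added example, not code from the original post: it places the flawed pattern (gluing a requested file name onto a web root with no check) beside a hardened resolver that decodes once, strips re-anchoring slashes, normalises the path and then proves the result still lies under the root. The web root `/var/www/html` and the sample request strings are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the example; any application-owned directory behaves the same.
WEB_ROOT = "/var/www/html"


def vulnerable_resolve(user_path):
    """The flawed pattern: the requested name is glued onto the web root with
    no check on where the result points. posixpath.join discards the root
    entirely when the user supplies an absolute path, and ".." segments walk
    straight out of the directory."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


def safe_resolve(user_path, root=WEB_ROOT):
    """Hardened version: decode once, strip anything that could re-anchor the
    path, normalise lexically, then prove the result is still under root."""
    # Decode percent-encoding exactly once, so "%2e%2e%2f" and "../" are
    # treated alike. If your framework already decoded the path, skip this:
    # decoding twice lets "%252e" sneak through as ".".
    decoded = unquote(user_path)
    # Reject NUL bytes; some file APIs silently truncate the name at them.
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    # Drop leading slashes so an absolute path cannot replace the root.
    relative = decoded.lstrip("/")
    # Lexically collapse "." and ".." and re-anchor under root.
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # The decisive check: the common prefix of root and candidate must be root
    # itself. A plain startswith() would wrongly accept "/var/www/html2/...".
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("requested path escapes the web root")
    # This is a lexical check. On a live filesystem, also compare
    # os.path.realpath(candidate) against os.path.realpath(root) so that a
    # symlink inside the root cannot point outside it.
    return candidate


def is_rejected(user_path):
    """True when safe_resolve refuses the input, False when it resolves it."""
    try:
        safe_resolve(user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: one benign, three traversal attempts.
    for p in ["index.html", "../../../etc/passwd", "/etc/shadow",
              "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"]:
        outcome = "REJECTED" if is_rejected(p) else safe_resolve(p)
        print(f"{p!r:45} vulnerable -> {vulnerable_resolve(p)!r:45} safe -> {outcome!r}")
```

The check that matters is the `commonpath` comparison rather than a string prefix test, and the decode step must run exactly once; both are places where otherwise reasonable code still lets a dot-dot-slash request through.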
Misconfiguration attacks
The most common targets we see this take place against are web servers, application platforms, frameworks, databases, and hardware. What a misconfiguration attack is is this: a lot of times, simply because they do not know any better, people deploy applications, OSs and hardware devices with default settings in play, and if you do not know what you are doing and do not reconfigure them, you end up creating some really good targets of opportunity. For example, when you install an Apache server there are some defaults that, if you do not change them, will give you issues. The same goes for deploying an application, not desktop-based applications like Word and Excel, but server-based applications. Also hardware: a lot of people buy a piece of hardware and it has a nifty little wizard that walks them through the install, leaving in place, for example, the default passwords on enterprise products such as switches and routers. Most of the time these misconfiguration attacks take place because software is getting complex, and complexity typically adds to our security issues. Most of the software and hardware devices we purchase today are pre-configured with some security mechanisms in play, but there are a ton of settings that a lot of IT guys do not take the time to go through and properly configure, or to break open a manual to see what the different settings do. When it comes to security, training is a big issue, not just for the end user but also for you when you get a new device or a new piece of software you are going to deploy.
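The "wizard left the defaults in place" problem is easiest to see as an audit. Below is an added example, not from the original post or any vendor: a small rule-driven check that reads an exported device configuration and reports every setting still sitting at a factory or trivial value. The INI layout, section and key names, and both configurations are constructed for the example and do not correspond to a real product's export format.

```python
import configparser
from typing import Callable, List, Tuple

# Constructed sample: settings as a setup wizard might leave them on a new
# network device. Section and key names are illustrative, not a real vendor's.
FACTORY_CONFIG = """
[admin]
username = admin
password = admin

[services]
telnet = on
ssh = on
http = on
https = off

[snmp]
community = public
"""

# The same device after an administrator actually worked through the settings.
HARDENED_CONFIG = """
[admin]
username = netops
password = Xk9#vL2pQ!7m

[services]
telnet = off
ssh = on
http = off
https = on

[snmp]
community = r0-Zq81nVb
"""

# Audit rules: (section, key, predicate that is True for a risky value, finding text).
RULES: List[Tuple[str, str, Callable[[str], bool], str]] = [
    ("admin", "password",
     lambda v: v.lower() in {"", "admin", "password", "1234", "12345"},
     "administrator password is a factory default or trivial value"),
    ("services", "telnet", lambda v: v.lower() == "on",
     "cleartext management (telnet) is enabled"),
    ("services", "http", lambda v: v.lower() == "on",
     "cleartext web management (http) is enabled"),
    ("services", "https", lambda v: v.lower() != "on",
     "encrypted web management (https) is disabled"),
    ("snmp", "community", lambda v: v.lower() in {"public", "private"},
     "SNMP community string is a well-known default"),
]


def audit(config_text: str) -> List[str]:
    """Parse an exported configuration and return one finding per violated rule.
    A missing setting is reported too: 'absent' is not the same as 'reviewed'."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    findings = []
    for section, key, is_risky, message in RULES:
        # fallback=None covers both a missing key and a missing section.
        value = parser.get(section, key, fallback=None)
        if value is None:
            findings.append(f"{section}.{key}: not present in export, review manually")
        elif is_risky(value):
            findings.append(f"{section}.{key}: {message} (current value {value!r})")
    return findings


if __name__ == "__main__":
    for label, text in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(text)
        print(f"{label}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

The rule table is the part worth maintaining: it is the written-down equivalent of "breaking open the manual", and running it against every exported configuration before a device goes into production is how the wizard's defaults stop being a target of opportunity.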
Shrink-wrap code attacks
These attacks take advantage of the built-in code and scripts most off-the-shelf applications come with. Attackers take advantage of lazy developers who take shortcuts. A developer does not have to rewrite the code to show an installation display; he might find it in a software repository or a developer repository where people share their code. If that code is reused over and over in an application, or across multiple applications, and there is a flaw in it that creates a vulnerability, attackers have multiple points they can hit. If you are a developer you should think about that: if attackers really wanted to create a lot of targets to go after, they could create a piece of code everybody is going to want, perhaps by tweaking an existing one and injecting some of their own special code, and give it away for free. Everybody will want it because it is free, and they do not review the scripts or the code itself. The other issue is that many times operating systems and applications come with built-in scripts. These scripts are designed to make things easier for the end user or the IT guy, but because most people are not aware of them, an attacker who has done his vulnerability research can use his knowledge of those built-in scripts to take advantage of your system. A real simplistic version of this would be macros in Microsoft Word; this used to be a big issue back in the day. You could download a Word or Excel document with a macro built into it, and when you opened it up, it executed. Most antivirus products today will protect you from those types of attacks, and Microsoft Office now does not allow code or a macro to run without your knowledge.
O/S attacks
Many operating systems today include a very large number of services, as well as ports that can be opened and are activated by default. The reason they are programmed this way is that the operating system manufacturer is trying to make things easy as well as fully featured, and this adds to complexity. Most of the time attackers are looking for ways to gain access through known vulnerabilities in the OS, and some of those vulnerabilities are created just by the defaults that get implemented. All OSs have their own defaults, and some of those defaults are locked down really well. One of the biggest ways attackers get in via operating system attacks is because people have not gone through and updated their systems by patching them. Patching and applying hot fixes is not necessarily easy depending on your infrastructure. Several companies have tried to make this easy, including Microsoft, which came out with its own little product called Windows Update Services, but if you do not have any training on it and do not know what you are doing, you may not actually implement it, or maybe it is too much of a hassle. Always immediately apply critical updates, and that is the case with every application and OS, because critical updates do not usually make huge changes the way a Service Pack does. Some of these OS attacks can result in the attacker implementing a buffer overflow attack, exploiting network protocols, cracking passwords, and possibly even breaking file system security.
Entry points
Remote network: this type of entry point usually comes from or over the internet. An ethical hacker needs to try to break in or find a vulnerability from the outside. You do not just test from the inside; you test from the outside as well, and you do not only test from the outside but also from the inside. That would include testing things such as your firewalls, proxies and routers, making sure there are no updates or patches that need to be applied.